Bad moon rising

Barely halfway through 2014, the year's already poised to become the scariest yet for digital security—topping even 2013's massive Target breach. We’ve seen hacks against big-name retailers like eBay, Michael’s, and Neiman Marcus—plus hotels, online forums, and numerous other websites. The current tally of compromised credit cards from major breaches is closing in on 5 million, and online accounts?—half a billion.

Beyond active attacks, go-to encryption tool TrueCrypt was lost, and we've suffered through the single biggest web security lapse ever. As we close in on the halfway point for 2014, here are the 10 biggest security stories so far.

Heartbleed bleeds the web

Thousands of major websites worldwide scrambled in April after a nasty little flaw turned up in OpenSSL—a widespread tool for securing online communications, including HTTPS websites. Dubbed Heartbleed, this devastating bug threatened to expose usernames and passwords, user data, and even the SSL keys sites use to securely identify themselves. The problem was widespread: affected sites included Instagram, Netflix, and Tumblr.

TrueCrypt shuts up shop

In May, customers were shocked to be suddenly rerouted from the TrueCrypt encryption software's website to the project’s SourceForge page. There, they found this message: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”

Breaches, breaches, and more breaches

A security review wouldn’t be complete without a roundup of major data breaches. EBay is the most notable victim: In May, the site announced a devastating data breach that included names, email and home addresses, phone numbers, dates of birth, and encrypted passwords. Reports put the number of affected users around 145 million.

La Oops

But sometimes, a breach deserves individual recognition—like the hack that Seagate-owned LaCie announced in April. The hard drive and peripheral storage maker said its online storefront had endured a whopping year-long data heist from March 27, 2013 to March 10, 2014. LaCie said it wasn’t sure what kind of data had been pilfered, but it may have included customer names, email addresses, credit card numbers, and card expiration dates. Crazy.

GnuTu Fail

Heartbleed wasn’t the only significant SSL/TLS bug in 2014. In February and March, both Apple and the Linux community were scrambling to fix flaws in their implementations of online security protocols. In Apple’s case, someone had mistakenly included an extra 'goto fail' programming statement that left encrypted data sent via SSL/TLS open to capture by hackers.

In the Linux case, the GnuTLS library had a programming flaw exposing user data to potential breaches, similar to Apple’s 'goto fail' problem. In the case of GnuTLS, however, it’s suspected the programming flaw existed for as long as 10 years—prompting Linux community leaders to say, “Huh, Gnu knew?” ( Groan —Ed.)

Pliable crypto-currency

Bitcoin security hit a road bump in February: A flaw dubbed “transaction malleability” led to attacks against several Bitcoin exchanges, according to Bitcoin news site Coindesk. The flaw could theoretically allow an attacker to substitute a phony transaction for the original one, thus redirecting Bitcoins from the intended recipient to the attacker.

Outlook snoop

Government agents aren’t the only snoops who might be plundering your Outlook.com inbox. Microsoft might also take a peek…at least if you’re up to no good. In March, Microsoft ‘fessed that it snooped on the personal email of both a blogger and a former employee, seeking evidence that the employee was leaking proprietary company information to the blogger. (To its credit, Microsoft revamped its privacy policy after the backlash.)

The case highlights how American digital due-process is woefully inadequate. After all, private emails sitting on third-party servers should be considered just as private as those love letters stashed in the back of your closet.

Gameover includes a peer-to-peer component, as well as online proxy servers and strong encryption, according to Krebs on Security. Gameover affects an estimated 500,000 to one million PCs worldwide, and the disruption—dubbed ‘Operation Tovar’—only served as a chance to clean up infected PCs. U.S authorities indicted Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, on several criminal charges related to operating the botnet.

Google's end-to-end revenge

Revenge is a dish best served cold, and Google made sure its vengeance pie was well and truly cooled before serving it up to the National Security Agency. As the fallout over Edward Snowden's NSA revelations continues, Google announced it wanted to make end-to-end encryption for webmail easier to use with a new Chrome extension. Called End-to-End, the extension is currently in a public alpha phase and not yet ready for wide release. When it goes live, however, it will be one of several new projects promising to keep your most private emails secure from prying eyes and snooping government agencies.